DAI blocking one host from going to another vlan

Jeremy Dubrulle
Level 1

Hi,

I've attached a picture of the topology for my problem.

DHCP Snooping and DAI is configured on the 3 switches (it's on switch L3 because hosts are also connected) for vlan 1 and 30 and the trunk ports are trusted.

The problem is that pc1 can't reach any other vlan when DAI is enabled for vlan 1 on Switch L3. All other devices are working well.

If I disable DAI on vlan 1 on switch L3, pc1 can reach everybody.

If I disable DAI on vlan 1 on switch L3, pc1 can reach the interface vlan 1 of sw1, pc4, pc1 and pc2. But NOT the interface vlan 1 on switch L3 (172.17.1.1) or devices on other vlans.

The DHCP binding of pc1 is in the snooping binding database of sw1. The ports between the switches are all trusted. The ports connected to the PCs all have the same configuration. The problem doesn't exist for the phones, not even the phone of pc1.

I don't understand why the packets can go from pc1 to pc4, for example: they have to go through switch L3, so they are accepted by the switch (furthermore, DAI is trusted on the trunks), and yet they can't pass to another vlan with DAI enabled. It seems like they can come into the switch but not over interface vlan 1, AND JUST FOR ONE PC.

The conf is simple on switch L3: no ip arp inspection validate, ip arp inspection trust (on trunk ports), ip arp inspection vlan 1, ip arp inspection vlan 30.

The problem is solved with no ip arp inspection vlan 1.

CONFIG:

SW1 trunk with L3:

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,29,30,70,80,252,262
 switchport mode trunk
 ip arp inspection trust
 speed nonegotiate
 ip dhcp snooping trust
end

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,29,30,70,80,252,262
 switchport mode trunk
 ip arp inspection trust
 speed nonegotiate
 channel-group 1 mode on
 ip dhcp snooping trust
end

interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,29,30,70,80,252,262
 switchport mode trunk
 ip arp inspection trust
 speed nonegotiate
 channel-group 1 mode on
 ip dhcp snooping trust
end

Int f0/11 has the device with the issue, and fa0/13 a device that is working:

interface FastEthernet0/11
 description ***IP Phone + PC***
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 30
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable
end

interface FastEthernet0/13
 description ***IP Phone + PC***
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 30
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Int vlan 1 of L3:

interface Vlan1
 description SSIT
 ip address 172.17.1.1 255.255.0.0
 no ip redirects
 ip pim sparse-dense-mode
end

Int between L3 and sw1:

interface GigabitEthernet2/0/4
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,29,30,70,80,252,262
 switchport mode trunk
 ip arp inspection trust
 speed nonegotiate
 channel-group 12 mode on
 ip dhcp snooping trust
end

interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,29,30,70,80,252,262
 switchport mode trunk
 ip arp inspection trust
 speed nonegotiate
 channel-group 12 mode on
 ip dhcp snooping trust
end

interface Port-channel12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,29,30,70,80,252,262
 switchport mode trunk
 ip arp inspection trust
 speed nonegotiate
 ip dhcp snooping trust
end

The show ip arp inspection files are attached.

Looks like it's not DAI that blocks the packet, but when I disable it, it's working well!
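The DAI decision model the post's configuration relies on (ARP on a port with ip arp inspection trust is forwarded unchecked, VLANs outside the ip arp inspection vlan list are not inspected, and anything else must match a DHCP snooping binding learned on that same switch), as an added illustration that is not part of the original post or Cisco code. The topology, MAC and IP values are constructed from the post's description, and the model deliberately keeps the binding table per switch, as DHCP snooping does.

```python
"""Toy per-switch model of Dynamic ARP Inspection (DAI) decisions.

Added illustration, not Cisco code. Values below are constructed.
Rules modelled:
  * ARP on a port marked 'ip arp inspection trust' is forwarded unchecked.
  * ARP in a VLAN not listed under 'ip arp inspection vlan' is not inspected.
  * Otherwise the sender MAC/IP pair must match a DHCP snooping binding
    learned on THIS switch (binding tables are not shared between switches).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    name: str
    dai_vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    bindings: set = field(default_factory=set)

    def inspect_arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """Return 'permit', 'deny' or 'not-inspected' for one ARP packet."""
        if vlan not in self.dai_vlans:
            return "not-inspected"      # DAI is not enabled for this VLAN
        if port in self.trusted_ports:
            return "permit"             # trusted port: no binding lookup
        for b in self.bindings:
            if b.vlan == vlan and b.mac == sender_mac and b.ip == sender_ip:
                return "permit"         # matches a learned DHCP binding
        return "deny"                   # no binding: dropped and logged


# Constructed topology modelled on the post: pc1 on sw1 Fa0/11, Po1/Po12 trunk to L3.
PC1_MAC, PC1_IP = "0011.2233.4455", "172.17.1.50"   # constructed values
SW1 = Switch("sw1", dai_vlans={1, 30}, trusted_ports={"Po1"},
             bindings={Binding(PC1_MAC, PC1_IP, 1, "Fa0/11")})
L3 = Switch("L3", dai_vlans={1, 30}, trusted_ports={"Po12"})  # no pc1 binding here


def trace_pc1_arp() -> list:
    """Follow pc1's ARP request hop by hop: access port on sw1, then trusted trunk on L3."""
    return [SW1.inspect_arp("Fa0/11", 1, PC1_MAC, PC1_IP),
            L3.inspect_arp("Po12", 1, PC1_MAC, PC1_IP)]


def static_host_arp() -> str:
    """A host with a static IP and no DHCP binding is denied on an untrusted port."""
    return SW1.inspect_arp("Fa0/13", 1, "0011.2233.9999", "172.17.1.60")
```

Running the trace shows both hops permitting pc1's ARP, which is the behaviour the post expects from trusted trunks; a static-IP host with no binding is the classic case that needs an ARP ACL or a static binding before DAI is enabled on its VLAN.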
